Abstract. The behavior composition problem involves automatically building a controller that is able to realize a desired, but unavailable, target system (e.g., a house surveillance) by suitably coordinating a set of available components (e.g., video cameras, blinds, lamps, a vacuum cleaner, phones, etc.). Previous work has almost exclusively aimed at bringing about the desired component in its totality, which is highly unsatisfactory for unsolvable problems. In this work, we develop an approach for approximate behavior composition without departing from the classical setting, thus making the problem applicable to a much wider range of cases. Based on the notion of simulation, we characterize what a maximal controller and the "closest" implementable target module (optimal approximation) are, and show how these can be computed using ATL model checking technology for a special case. We show the uniqueness of optimal approximations, and prove their soundness and completeness with respect to their imported controllers.

1 Introduction 

The behavior composition problem (e.g., [2, 6, 12, 19]) involves the automatic synthesis of a controller that is able to "realize" (i.e., implement) a desired, though non-existent, complex target system by suitably coordinating a collection of partially controllable available behaviors. A behavior here refers to the abstract operational model of a device or program, generally represented as a non-deterministic transition system. Thus, in a smart building setting, one may look for a controller able to coordinate the execution of a set of devices installed in a house — music and movie players, game consoles, automatic blinds and lights, radios, etc. — such that it appears as if a complex entertainment system was actually being run. A solution to the problem is called a composition.

The composition problem is appealing to a wide range of audiences. Indeed, with computers now present in everyday devices like mobile phones, credit cards, or places like homes, offices and factories, the trend is to build complex embedded devices from a collection of simple components. In addition, the problem can be related to several sub-areas of AI and CS, including web-service composition [10], reactive synthesis [14], agent-oriented programming [18], robot ecologies [15], and automated planning [8].

While the behavior composition problem has been substantially studied in an AI context lately (e.g., [6, 12, 19]), previous work has exclusively aimed at the synthesis of complete realisations of the desired target component — compositions that implement the desired component in its totality. This poses a major limitation in problem instances with no (exact) compositions. For such cases, a mere "no solution" outcome is extremely unsatisfactory. The need to address this shortcoming has already been noted in previous works [19, 20]. In this paper, we develop a qualitative account of approximate behavior composition that caters for instances admitting no exact solutions.

Intuitively, the overarching idea is to look for those parts of the target module that can be realized with the available modules, and provide this as an (approximate) solution. More precisely, given a target module, the task is to identify the closest alternative target module that can be fully realized with the behaviors at hand — the optimal approximate target. Of course, it is expected that such an alternative target will generally provide less functionality than the original one. Indeed, some execution paths may be impossible to generate with the new target (e.g., it may no longer be feasible to play video games when listening to music). Moreover, the alternative target may accommodate less "freedom" of choice in executions (e.g., when requesting to watch a movie, one may now need to commit to whether one will be playing a video game or listening to radio afterwards). Nonetheless, the user can request actions as per the alternative (approximate) target and be guaranteed her requests will always be fulfilled.

Observe that in this paper we assume a setting of strict uncertainty, in that the space of possibilities (behaviors' evolutions and target requests) is known, but the probabilities of these potential alternatives cannot be quantified [7]. This contrasts with our previous approach [20], which assumes all such probabilities have been specified for the domain and then looks for the "best" controller possible from a decision-theoretic perspective. Consequently, our account here can be seen as the next natural extension of the "classical" composition framework found in the literature, in that no additional domain information is assumed. We shall discuss and compare this further in Section 6.

The rest of the paper is organized as follows. In the next two sections, we introduce the composition framework as known in the literature. Besides providing the standard notion of exact compositions (complete solutions to the problem), we also introduce the notion of maximal compositions, as controllers that can do as well as any other controller. After that, we develop the main contribution of our work, namely, the notion of optimal target approximations as the best alternative target behaviors that can be fully realized in the system at hand. We demonstrate that "importing" controllers from optimal approximations amounts to using maximal controllers (for the original target), thus providing correctness for optimal approximations. In addition, we show that the imported controllers of an optimal approximation together realize the same set of traces as those realized by maximal controllers (together as well), thereby providing a completeness result. More importantly, we prove that optimal approximations are in fact unique (up to simulation equivalence), a very interesting and unexpected property. Finally, we describe how optimal approximate targets can be computed for the special case of deterministic systems (as, for example, in the context of service composition; e.g., [2, 10]) by reducing the problem to ATL model checking, opening the door for advanced model checking tools. We close the paper with a short discussion and conclusions. An extended version of the paper, including proofs, can be found in the Appendix.

2 The Behavior Composition Framework 

In a behavior composition setting, a set of available behaviors are meant to jointly bring about a virtual target behavior [6, 12, 19]. We follow the composition framework in [17] with two minor modifications. First, for simplicity, we do not deal with the so-called environment, the shared space where behaviors are meant to execute. Nonetheless, all results presented here can be easily generalized to account for an environment. Second, we shall generalize target behaviors to non-deterministic transition systems.

Behaviors A behavior stands for the operational model of a program or device. In general, a behavior provides the user, step by step, with the set of actions that it can perform (relative to its specification). At each step, the behavior can be instructed to execute one of the legal actions, causing the behavior to transition to a successor state, and thereby providing a new set of applicable actions.

Formally, a behavior is a tuple $\mathcal{B} = (B, A, b_0, \varrho)$, where:¹

- $B$ is the finite set of the behavior's states;

- $A$ is a set of actions;

- $b_0 \in B$ is the initial state;

- $\varrho \subseteq B \times A \times B$ is the behavior's transition relation, where $(b, a, b') \in \varrho$, or $b \xrightarrow{a} b'$ in $\mathcal{B}$, denotes that action $a$ executed in behavior state $b$ may lead the behavior to successor state $b'$.

Note that we allow behaviors to be non-deterministic, that is, given a state and an action, the behavior may transition to more than one state. This implies that one cannot know beforehand what actions will be available to execute after an action is performed, as the next set of applicable actions depends on the successor state in which the behavior happens to end up. Hence, we say that non-deterministic behaviors are only partially controllable. A deterministic behavior is one where there is no state $b \in B$ and action $a \in A$ for which there exist two transitions $b \xrightarrow{a} b'$ and $b \xrightarrow{a} b''$ in $\mathcal{B}$ with $b' \neq b''$. A deterministic behavior is fully controllable. For the sake of legibility and easier notation, we shall assume, wlog, that behaviors capture non-terminating processes and hence do not have any terminating state with no outgoing transition.²

System and Enacted System A system is a collection of behaviors at disposal. Technically, an (available) system is a tuple $\mathcal{S} = (\mathcal{B}_1, \ldots, \mathcal{B}_n)$, where $\mathcal{B}_i = (B_i, A_i, b_{i0}, \varrho_i)$, for $i \in \{1, \ldots, n\}$, is a behavior, called an available behavior in the system.

To refer to the behavior that emerges from the joint execution of behaviors in a system, we use the notion of enacted system behavior. The enacted system behavior of an available system $\mathcal{S}$ (as above) is a tuple $\mathcal{E}_S = (S_S, A, \{1, \ldots, n\}, s_{S0}, \delta_S)$, where:

- $S_S = B_1 \times \cdots \times B_n$ is the finite set of $\mathcal{E}_S$'s states; when $s_S = (b_1, \ldots, b_n)$, we denote $b_i$ by $beh_i(s_S)$, for $i \in \{1, \ldots, n\}$;

- $A = \bigcup_{i=1}^{n} A_i$ is the set of actions of $\mathcal{E}_S$;

- $s_{S0} \in S_S$ with $beh_i(s_{S0}) = b_{i0}$, for $i \in \{1, \ldots, n\}$, is $\mathcal{E}_S$'s initial state;

- $\delta_S \subseteq S_S \times A \times \{1, \ldots, n\} \times S_S$ is $\mathcal{E}_S$'s transition relation, where $(s_S, a, k, s'_S) \in \delta_S$, or $s_S \xrightarrow{a,k} s'_S$ in $\mathcal{E}_S$, iff:
  • $beh_k(s_S) \xrightarrow{a} beh_k(s'_S)$ in $\mathcal{B}_k$; and
  • $beh_i(s_S) = beh_i(s'_S)$, for $i \in \{1, \ldots, n\} \setminus \{k\}$.

1 With no shared environment in this paper, behaviors are not equipped with guard conditions (as done in [6, 19]) and the set of actions $A$ is included in their definitions.
2 As customary, e.g., in LTL verification, this can be easily achieved by introducing "fake" loop transitions.

Fig. 1. A smart house scenario with four available behaviors. Target $\mathcal{T}_{ent}$ cannot be fully realized in the system, but its optimal approximation $\widetilde{\mathcal{T}}_{ent}$ can.

The enacted system behavior $\mathcal{E}_S$ is technically the asynchronous product of the available behaviors. The index $k$ in transitions makes explicit which behavior is performing the action in the transition — all other behaviors remain still.

Target A target behavior $\mathcal{T} = (T, A_T, t_0, \varrho_T)$ is a, possibly non-deterministic, behavior that represents the desired functionality to be obtained (through the available system). In contrast with all previous works, we allow for non-deterministic target specifications. Nonetheless, the objective is not to capture incomplete information, and hence partial controllability, of the target module, but to be able to accommodate action requests carrying more "information." This will come in handy for our account of approximation. Thus, in order to preserve the full controllability of the target, we shall consider requests in terms of target transitions, rather than just actions.

Informally, the behavior composition task is stated as follows: given a system $\mathcal{S}$ and a target behavior $\mathcal{T}$, is it possible to (partially) control the available behaviors in $\mathcal{S}$ in a step-by-step manner — by instructing them on which action to execute next and observing, afterwards, the outcome in the behavior used — so as to "realize" the desired target behavior? In other words, by adequately controlling the system, it appears as if one was actually executing the target module. (See the next section for more details.)



As noted by De Giacomo and Sardina [6], the behavior composition problem is related to planning (under incomplete information) [8], both being synthesis tasks, though here we look for whom to delegate the next action to at each step (whatever such action happens to be at runtime), rather than what those actions should be.

Figure 1 depicts a universal home entertainment system in a smart house scenario. Target $\mathcal{T}_{ent}$ encapsulates the desired functionality, which involves first switching on the lights when entering the room, then providing various entertainment options (e.g., listening to music, watching movies, browsing the Web, etc.), and finally stopping active modules and switching off the lights. There are four available devices installed in the house that can be used to bring about such desired behavior, namely, a game device $\mathcal{B}_G$, an audio device $\mathcal{B}_A$, a movie device $\mathcal{B}_M$, and the lights controller $\mathcal{B}_L$. Note that action WEB in the device $\mathcal{B}_G$ is non-deterministic, as it may bring the module into states $a_2$ or $a_3$. If the device happens to evolve to state $a_3$, then, for some reason, it is not enough to stop the device to reset it: the device needs to be completely unplugged.
3 Controllers and Compositions

Next, we formally define what constitutes a solution for a behavior composition problem. In doing so, we shall not only look at the problem from a binary perspective — solvable vs. unsolvable — but instead provide a qualitative account of "optimal" solutions. From now on, let $\mathcal{S} = (\mathcal{B}_1, \ldots, \mathcal{B}_n)$ be an available system and $\mathcal{T} = (T, A, t_0, \varrho_T)$ be a target behavior to be realized on $\mathcal{S}$.

Controller A controller is a component able to activate, stop, and resume any of the 
available behaviors, and to instruct them to execute an (allowed) action. The controller 
has full observability on the available behaviors; that is, it can keep track (at runtime) 
of their current states — if details have to be hidden, this can be done by means of non- 
determinism within the abstract behaviors exposed. 

To formally define controllers and solutions, we rely on the notions of traces and histories. A trace for a given enacted system $\mathcal{E}_S = (S_S, A, \{1, \ldots, n\}, s_{S0}, \delta_S)$ is a, possibly infinite, sequence of the form $s^0 \xrightarrow{a^1,k^1} s^1 \xrightarrow{a^2,k^2} \cdots$ such that (i) $s^0 = s_{S0}$; and (ii) $s^j \xrightarrow{a^{j+1},k^{j+1}} s^{j+1}$ in $\mathcal{E}_S$, for all $j \geq 0$. A history is just a finite prefix $h = s^0 \xrightarrow{a^1,k^1} \cdots \xrightarrow{a^\ell,k^\ell} s^\ell$ of a trace. We denote $s^\ell$ by $last(h)$, $\ell$ by $|h|$ (i.e., the length of $h$), and the sequence $a^1 \cdot \ldots \cdot a^\ell$ by $[h]$ (i.e., the projection on actions). Traces and histories can also be defined for a behavior $\mathcal{B}$ in a similar fashion: behavior traces have the form $s^0 \xrightarrow{a^1} s^1 \xrightarrow{a^2} \cdots$ such that (i) $s^0 = b_0$; and (ii) $s^j \xrightarrow{a^{j+1}} s^{j+1}$ in $\mathcal{B}$, for all $j \geq 0$. We use $\mathcal{H}_S$ and $\mathcal{H}_B$ to denote the set of system histories (i.e., histories of $\mathcal{E}_S$) and histories of behavior $\mathcal{B}$, respectively.

A controller for target $\mathcal{T}$ on system $\mathcal{S}$ is a partial function $C : \mathcal{H}_S \times (T \times A \times T) \to \{1, \ldots, n\}$, which, given a system history $h \in \mathcal{H}_S$ and a requested target transition $(t, a, t') \in \varrho_T$, returns the index of an available behavior to which the action $a$ is delegated for execution. For legibility, we shall write $C(h, t_1 \xrightarrow{a} t_2)$ to compactly denote $C(h, t_1, a, t_2)$. Note here the slight departure from previous notions of controllers (e.g., [6, 17, 19]), in that a controller now receives a complete target transition as the next request, not just an action. While this has no impact when dealing with deterministic targets, it guarantees full controllability for nondeterministic ones.

Intuitively, a controller (fully) realizes a target behavior if for every trace (i.e., run) of the target, at every step, the controller returns the index of an available behavior that can perform the requested action. Formally, one first defines when a controller $C$ realizes a trace of the target $\mathcal{T}$. Though not required for this paper, the reader is referred to [6, 12] for details on how to formally characterize trace realization. We denote by $\Delta^{C}_{(\mathcal{S},\mathcal{T})}$ the set of traces of $\mathcal{T}$ that controller $C$ is able to realize in system $\mathcal{S}$. Then, a controller $C$ realizes the target behavior $\mathcal{T}$ iff it realizes all its traces. In that case, $C$ is said to be an exact composition for target $\mathcal{T}$ on system $\mathcal{S}$.

Now, suppose we are given a target behavior $\mathcal{T}$ and an available system $\mathcal{S}$, and that, as expected in many domains, there is no exact composition for $\mathcal{T}$ on $\mathcal{S}$ — the target cannot be completely realized in the system. This is indeed the case in our example, as there is no exact composition for $\mathcal{T}_{ent}$ in the house system. Merely returning a negative "no solution" outcome is highly unsatisfactory. The question then is: what does it mean for a controller $C_1$ to achieve "a better realization" of $\mathcal{T}$ on $\mathcal{S}$ than controller $C_2$?
To answer such a question in a qualitative manner, we rely on the extent to which controllers are able to honour arbitrarily long sequences of target requests. We say that controller $C_1$ dominates controller $C_2$, denoted $C_1 \geq C_2$, iff $\Delta^{C_2}_{(\mathcal{S},\mathcal{T})} \subseteq \Delta^{C_1}_{(\mathcal{S},\mathcal{T})}$ — $C_1$ can honour all request sequences that $C_2$ can honour, and possibly more. As usual, $C_1 > C_2$ is equivalent to $C_1 \geq C_2$ but $C_2 \not\geq C_1$, that is, $\Delta^{C_2}_{(\mathcal{S},\mathcal{T})} \subset \Delta^{C_1}_{(\mathcal{S},\mathcal{T})}$. A controller $C$ is said to be a maximal composition (for a target on a system) iff, for every other controller $C'$, if $C' \geq C$, then $C \geq C'$ (or equivalently, $C' \not> C$). In other words, maximal compositions are those for which there is no other controller that can realize strictly more runs of the target behavior in the system. We use $\text{MaxComp}(\mathcal{S}, \mathcal{T})$ to denote the set of all maximal compositions for target $\mathcal{T}$ on system $\mathcal{S}$.

Consider the following two controllers for our smart house. Whereas controller $C_1$ allocates all requests to the light device $\mathcal{B}_L$, controller $C_2$ delegates media and light requests to the audio $\mathcal{B}_A$ and light $\mathcal{B}_L$ devices, respectively. Then, $C_1$ realizes just one target trace, that is, $\Delta^{C_1}_{(\mathcal{S},\mathcal{T})} = \{t_0 \xrightarrow{\text{LIGHTON}} t_1\}$. On the other hand, $C_2$ realizes such a trace as well as trace $t_0 \xrightarrow{\text{LIGHTON}} t_1 \xrightarrow{\text{MOVIE}} t_2 \xrightarrow{\text{RADIO}} t_3 \xrightarrow{\text{STOP}} t_4$ (and all its prefixes). Therefore, $\Delta^{C_1}_{(\mathcal{S},\mathcal{T})} \subset \Delta^{C_2}_{(\mathcal{S},\mathcal{T})}$ and $C_2 > C_1$ holds. The reader may notice that even better controllers than $C_2$ exist when all four behaviors are used.

As expected, whenever a behavior composition problem admits an exact 
composition — the target is fully realizable — the set of exact compositions coincides 
with that of maximal compositions. When full realizations are impossible, though, max- 
imal compositions capture the best controllers that one could hope for. 



4 Target Approximation 

Whereas maximal compositions, as defined above, provide a way of handling instances with no exact solution, they do not convey useful insights on how well such instances can be solved. Even if we are given the set of traces that a maximal composition realizes, it will be difficult to reconstruct what it means in terms of the problem specification. As a consequence, using a maximal non-exact composition may yield dead-end executions where no further actions can be honoured. What is more, while there are various techniques to construct exact compositions (e.g., [6, 16, 19]), it is far from clear how to build maximal composition controllers.

So, in this section, we will look at "approximation" from a different perspective 
that is arguably more intuitive and computationally more amenable than dealing with 
controller functions, namely, we are concerned with what parts of the target can in fact 
be brought about. More concretely, we are interested in the following task: 

Given an available system $\mathcal{S}$ and a target behavior $\mathcal{T}$, find an (approximate) target behavior $\widetilde{\mathcal{T}}$ that can be fully realized on $\mathcal{S}$ (by some controller $C_{\widetilde{\mathcal{T}}}$) and such that $\widetilde{\mathcal{T}}$ is "as close as possible" to the original target behavior $\mathcal{T}$.

We call this the approximate behavior composition problem. Once an approximate target $\widetilde{\mathcal{T}}$ is obtained, one may either use such new target directly or consider "importing" its exact compositions into the original target module $\mathcal{T}$. Hopefully, in the latter case, the imported controllers will turn out to be the best possible controllers for the original target. These are arguably the main ideas of our work and what we shall develop below. Before doing so, we should point out that defining approximate targets based merely on trace/language inclusion is not sufficient. While two targets may yield exactly the same sequences of requests, one may admit an exact composition while the other may not. In our smart house scenario, for instance, the two sequences LIGHTON · MOVIE · GAME · STOP and LIGHTON · MOVIE · RADIO · STOP may be realized by the same controller for the approximation $\widetilde{\mathcal{T}}_{ent}$, but not for the original target $\mathcal{T}_{ent}$.

In order to capture approximate targets, we make use of the formal notion of simulation [13]. A simulation relation captures the similarity in the behavior of two transition systems. Intuitively, a (transition) system $S_1$ "simulates" another system $S_2$ if $S_1$ is able to match all of $S_2$'s moves. We make this precise for our (target) behaviors as follows. Let $\mathcal{T}_i = (T_i, A, t_{i0}, \varrho_i)$, where $i \in \{1, 2\}$, be two target behaviors. A simulation relation of $\mathcal{T}_2$ by $\mathcal{T}_1$ is a relation $Sim \subseteq T_2 \times T_1$ such that $(t_2, t_1) \in Sim$ implies that for every transition $(t_2, a, t'_2) \in \varrho_2$ in $\mathcal{T}_2$, there exists a transition $(t_1, a, t'_1) \in \varrho_1$ in $\mathcal{T}_1$ such that $(t'_2, t'_1) \in Sim$. We say that a state $t_2 \in T_2$ is simulated by a state $t_1 \in T_1$ (or $t_1$ simulates $t_2$), denoted $t_2 \preceq t_1$, iff there exists a simulation relation $Sim$ of $\mathcal{T}_2$ by $\mathcal{T}_1$ such that $(t_2, t_1) \in Sim$. Observe that relation $\preceq$ is itself a simulation relation (of $\mathcal{T}_2$ by $\mathcal{T}_1$), and in fact, it is the largest simulation relation, in that all simulation relations are contained in it. Informally, $t_2 \preceq t_1$ means that $t_1$ in $\mathcal{T}_1$ can "mimic" all moves of $t_2$ in $\mathcal{T}_2$, and that this property is propagated in their corresponding successor states. We say that a target behavior $\mathcal{T}_1$ simulates target behavior $\mathcal{T}_2$, denoted $\mathcal{T}_2 \preceq \mathcal{T}_1$, if it is the case that $t_{20} \preceq t_{10}$, that is, their initial states are in simulation and, as a result, $\mathcal{T}_1$ can always mimic $\mathcal{T}_2$ from the start. In our example, $t_2$ and $t_1$ in $\mathcal{T}_{ent}$ simulate states $u_4$ and $u_1$, respectively, in $\widetilde{\mathcal{T}}_{ent}$ (i.e., $u_4 \preceq t_2$ and $u_1 \preceq t_1$), but not the other way around (i.e., $t_2 \not\preceq u_4$ and $t_1 \not\preceq u_1$). Two targets are said to be simulation equivalent, denoted $\mathcal{T}_1 \sim \mathcal{T}_2$, whenever they simulate each other.

We then argue that a qualitative comparison of target approximations can be achieved based on their simulation "hierarchy" (note that $\preceq$ is a pre-order). We say that a target behavior $\widetilde{\mathcal{T}}$ approximates target $\mathcal{T}$ on system $\mathcal{S}$ (or $\widetilde{\mathcal{T}}$ is an approximation of $\mathcal{T}$ on $\mathcal{S}$) iff $\widetilde{\mathcal{T}} \preceq \mathcal{T}$ and there is an exact composition for $\widetilde{\mathcal{T}}$ on $\mathcal{S}$ (i.e., $\widetilde{\mathcal{T}}$ is simulated by $\mathcal{T}$ and it can be fully realized on available system $\mathcal{S}$).
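The simulation preorder above is the yardstick for everything that follows, so here is an added Python example (not code from the paper) that computes the largest simulation relation of one target by another as a greatest fixpoint and decides $\mathcal{T}_2 \preceq \mathcal{T}_1$ from it. The two behaviors are constructed stand-ins for $\mathcal{T}_{ent}$ and its approximation, built only from what the text says about them (Figure 1 itself is not reproduced on the page), so their exact states and transitions are assumptions; the names T_ORIG, T_APPROX and the helper functions are likewise mine.

```python
from itertools import product
from typing import Hashable, Set, Tuple

State = Hashable
Transition = Tuple[State, str, State]                       # (t, a, t')
# A target behavior as in the paper: (states, actions, initial state, transition relation).
Behavior = Tuple[Set[State], Set[str], State, Set[Transition]]


def largest_simulation(t2: Behavior, t1: Behavior) -> Set[Tuple[State, State]]:
    """Largest relation Sim ⊆ T2 × T1 such that (s2, s1) ∈ Sim implies every move
    s2 -a-> s2' of T2 is matched by some s1 -a-> s1' of T1 with (s2', s1') ∈ Sim.
    Greatest fixpoint: start from the full product and delete pairs that violate
    the matching condition until nothing changes.  Every simulation relation of
    T2 by T1 is contained in the result, so membership decides the preorder."""
    states2, _, _, rho2 = t2
    states1, _, _, rho1 = t1
    succ1 = {}                                  # (s1, a) -> successors in T1
    for (s, a, s_next) in rho1:
        succ1.setdefault((s, a), set()).add(s_next)
    out2 = {}                                   # s2 -> [(a, s2')] moves in T2
    for (s, a, s_next) in rho2:
        out2.setdefault(s, []).append((a, s_next))

    sim = set(product(states2, states1))
    changed = True
    while changed:
        changed = False
        for (s2, s1) in list(sim):
            matched = all(
                any((s2_next, s1_next) in sim for s1_next in succ1.get((s1, a), ()))
                for (a, s2_next) in out2.get(s2, ())
            )
            if not matched:
                sim.discard((s2, s1))
                changed = True
    return sim


def simulates(t2: Behavior, t1: Behavior) -> bool:
    """T2 ⪯ T1: the initial states are related by the largest simulation."""
    return (t2[2], t1[2]) in largest_simulation(t2, t1)


def simulation_equivalent(ta: Behavior, tb: Behavior) -> bool:
    """Ta ~ Tb: each target simulates the other."""
    return simulates(ta, tb) and simulates(tb, ta)


def behavior(init: State, transitions) -> Behavior:
    """Assemble a Behavior tuple from an initial state and (t, a, t') triples."""
    rho = set(transitions)
    states = {init} | {t for (t, _, _) in rho} | {t for (_, _, t) in rho}
    return (states, {a for (_, a, _) in rho}, init, rho)


# Constructed stand-in for the original target T_ent (not the paper's Figure 1): after
# MOVIE the user may still choose GAME or RADIO, and MUSIC followed by GAME is offered too.
T_ORIG = behavior("t0", [
    ("t0", "LIGHTON", "t1"), ("t1", "MOVIE", "t2"), ("t1", "MUSIC", "t5"),
    ("t2", "GAME", "t3"), ("t2", "RADIO", "t3"), ("t5", "GAME", "t3"),
    ("t3", "STOP", "t4"), ("t4", "LIGHTOFF", "t0"),
])
# Constructed stand-in for the approximation: MUSIC is dropped, and the MOVIE request
# is non-deterministic, committing early to GAME (via u2) or RADIO (via u4).
T_APPROX = behavior("u0", [
    ("u0", "LIGHTON", "u1"), ("u1", "MOVIE", "u2"), ("u1", "MOVIE", "u4"),
    ("u2", "GAME", "u3"), ("u4", "RADIO", "u3"),
    ("u3", "STOP", "u5"), ("u5", "LIGHTOFF", "u0"),
])

if __name__ == "__main__":
    print("T_approx ⪯ T_orig:", simulates(T_APPROX, T_ORIG))      # True
    print("T_orig ⪯ T_approx:", simulates(T_ORIG, T_APPROX))      # False
    print("u4 ⪯ t2:", ("u4", "t2") in largest_simulation(T_APPROX, T_ORIG))
```

The fixpoint starts from the full product and only ever removes pairs, so it terminates on finite behaviors and returns the largest simulation, exactly the relation $\preceq$ the text describes. Run on the constructed behaviors it reproduces the text's claims: the approximation is simulated by the original ($u_4 \preceq t_2$, $u_1 \preceq t_1$), but the original is not simulated by the approximation, because $t_1$ offers MUSIC and $t_2$ keeps both GAME and RADIO open while each of $u_2$, $u_4$ commits to one of them.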

Despite being fully solvable, an approximation will generally provide "less" than the original target. First, an approximation may be missing certain executions altogether. In the smart house scenario, approximation $\widetilde{\mathcal{T}}_{ent}$ does not account for the action sequence LIGHTON · MUSIC · GAME · STOP · LIGHTOFF. Second, an approximation may require the user to commit earlier to future possible request choices. In that sense, a user of target $\widetilde{\mathcal{T}}_{ent}$ needs to decide when requesting MOVIE in state $u_1$ if she will later play a GAME or listen to RADIO. Notice such extra "temporal" information is not required at state $t_1$ in original target $\mathcal{T}_{ent}$. It is exactly to accommodate this feature that we have departed from the standard view of deterministic targets.

Of course, between full realization and the trivial empty approximation, there lies a whole spectrum of approximating targets. Among these, we are interested in those that are "closest" to the original target, in that the minimum possible is given up. We say that a target behavior $\widetilde{\mathcal{T}}$ is an optimal approximation of target $\mathcal{T}$ on system $\mathcal{S}$ iff:

1. $\widetilde{\mathcal{T}}$ is an approximation of $\mathcal{T}$ on $\mathcal{S}$; and
2. there is no target behavior $\mathcal{T}'$ that approximates $\mathcal{T}$ on $\mathcal{S}$ such that $\widetilde{\mathcal{T}} \prec \mathcal{T}'$, that is, $\mathcal{T}$ cannot be approximated by a strictly more general target module.

Intuitively, an optimal target approximation is a maximal representation of those 
aspects of the original target that can be completely implemented. When the target 
behavior does admit a full realization in the system, the optimal approximation is then 
expected to represent the target module in all its extent. 

Theorem 1. Suppose there is an exact composition for target $\mathcal{T}$ on system $\mathcal{S}$. Then, $\widetilde{\mathcal{T}}$ is an optimal approximation of $\mathcal{T}$ on $\mathcal{S}$ iff $\widetilde{\mathcal{T}} \sim \mathcal{T}$.

Importantly, there can only be one way of optimally approximating a given target. 

Theorem 2. An optimal approximation $\widetilde{\mathcal{T}}$ of a target $\mathcal{T}$ on a system $\mathcal{S}$ is unique up to simulation equivalence.

We observe that, for non-deterministic transition systems, simulation is a stronger measure of equivalence than language inclusion [9]. Therefore, if a target $\widetilde{\mathcal{T}}$ approximates another target $\mathcal{T}$, then the action request sequences resulting from the traces of $\widetilde{\mathcal{T}}$ will be a subset of those produced by $\mathcal{T}$. It follows then that if $C_{\widetilde{\mathcal{T}}}$ is an exact composition for $\widetilde{\mathcal{T}}$, then $C_{\widetilde{\mathcal{T}}}$ ought to be able to handle a subset of $\mathcal{T}$'s request sequences.



4.1 Imported Controllers 

In contrast with maximal controllers, optimal approximations are specified in the same language as the original problem. The user can thus decide to request actions as per the new (approximate) target with guaranteed full realizability. Nonetheless, one may still ask in which sense these solutions are "correct." To answer that, we show that using an exact composition for an optimal approximation amounts to using a maximal composition for the original target. To that end, we define what it means to "import" a controller $C_{\mathcal{T}'}$ designed for one target module $\mathcal{T}'$ into another target module $\mathcal{T}$.

We start by defining the family of functions that are meant to explain sequences of action requests in a target. Informally, the function $\text{EXPL}_{\mathcal{T}}(\cdot)$ outputs a history of the target $\mathcal{T}$ compatible with the given sequence of actions $\alpha$. Formally, a function $\text{EXPL}_{\mathcal{T}} : A^* \to \mathcal{H}_{\mathcal{T}}$ is a target explanatory function for a target $\mathcal{T}$ if for any action sequence $\alpha = a^1 \cdot \ldots \cdot a^\ell \in A^*$, with $\ell \geq 0$, it is the case that $\text{EXPL}_{\mathcal{T}}(\alpha) = t^0 \xrightarrow{a^1} \cdots \xrightarrow{a^\ell} t^\ell \in \mathcal{H}_{\mathcal{T}}$. In general, there will be many such functions, since the same sequence of action requests can arise from different runs of a non-deterministic target. For instance, sequence LIGHTON · MOVIE can be explained in two ways on target $\widetilde{\mathcal{T}}_{ent}$, namely, via histories $u_0 \xrightarrow{\text{LIGHTON}} u_1 \xrightarrow{\text{MOVIE}} u_2$ and $u_0 \xrightarrow{\text{LIGHTON}} u_1 \xrightarrow{\text{MOVIE}} u_4$.

Using target explanatory functions, we next characterize the set of so-called induced controllers. Suppose we have a controller $C_{\mathcal{T}'}$ for a target $\mathcal{T}'$ (on a system $\mathcal{S}$). An induced controller (from controller $C_{\mathcal{T}'}$) for a target behavior $\mathcal{T}$ is one that handles requests from $\mathcal{T}$ as if they were requests issued as per module $\mathcal{T}'$. Recall that a controller for a system $\mathcal{S}$ outputs the behavior index to which a given transition-action request is delegated at a certain system history. Formally, then, we say that $C_{\mathcal{T}}$ is an induced controller (from controller $C_{\mathcal{T}'}$ on target $\mathcal{T}'$) for target $\mathcal{T}$ over system $\mathcal{S}$ if there exists a target explanatory function $\text{EXPL}_{\mathcal{T}'}(\cdot)$ for $\mathcal{T}'$ such that for every system history $h \in \mathcal{H}_S$ and transition $t_1 \xrightarrow{a} t_2$ in $\mathcal{T}$, the following holds (recall that $[h]$ denotes the sequence of actions in history $h$):

$$C_{\mathcal{T}}(h, t_1 \xrightarrow{a} t_2) = \begin{cases} C_{\mathcal{T}'}(h, t'_1 \xrightarrow{a} t'_2) & \text{if } \text{EXPL}_{\mathcal{T}'}([h] \cdot a) = t'^0 \xrightarrow{a^1} \cdots \xrightarrow{a^\ell} t'_1 \xrightarrow{a} t'_2 \\ \text{undefined} & \text{if } \text{EXPL}_{\mathcal{T}'}([h] \cdot a) \text{ is undefined} \end{cases}$$

That is, $\mathcal{T}$'s request $t_1 \xrightarrow{a} t_2$ is delegated at history $h$ as controller $C_{\mathcal{T}'}$ would delegate request $t'_1 \xrightarrow{a} t'_2$ from target $\mathcal{T}'$ if $h$'s requests leave target $\mathcal{T}'$ in state $t'_1$ and the current requested action $a$ is indeed explained by transition request $t'_1 \xrightarrow{a} t'_2$ in $\mathcal{T}'$. When there is no explanation in $\mathcal{T}'$ — $\text{EXPL}(\cdot)$ is undefined — the induced controller is left undefined. Note that different ways of explaining the original target's sequences of requests (i.e., different explanatory functions) yield different induced controllers.

Finally, an imported controller is a maximal (i.e., non-strictly dominated) controller within the family of induced controllers — the "best" induced controllers. Technically, the set of imported controllers from $C$ on $\mathcal{T}$ into target $\mathcal{T}'$, denoted $\Omega^{\mathcal{T}'}_{(C,\mathcal{T})}$, is the set of all controllers $C'$ for $\mathcal{T}'$ such that (i) $C'$ is an induced controller from $C$ on target $\mathcal{T}$ for $\mathcal{T}'$; and (ii) there is no other induced controller $C''$ such that $C'' > C'$.
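The induced-controller construction in the defining equation above (explain $[h] \cdot a$ in $\mathcal{T}'$, then delegate as $C_{\mathcal{T}'}$ would, or stay undefined) is mechanical enough to run, so here is an added Python example, not code from the paper, that builds two induced controllers for the original target from one controller of the approximation, using two different explanatory functions. The approximate target, the controller $C_{\mathcal{T}'}$ and the behavior indices (1 = game, 2 = audio, 3 = movie, 4 = lights) are constructed stand-ins, and a system history is represented only by its action projection $[h]$, since that is all the construction inspects; the function names are mine.

```python
from typing import Callable, List, Optional, Sequence

# Constructed transition relation of the approximate target T' (stand-in for the
# page's approximation of T_ent; the real Figure 1 is not reproduced here).
T_PRIME_INIT = "u0"
T_PRIME_RHO = {
    ("u0", "LIGHTON", "u1"), ("u1", "MOVIE", "u2"), ("u1", "MOVIE", "u4"),
    ("u2", "GAME", "u3"), ("u4", "RADIO", "u3"),
    ("u3", "STOP", "u5"), ("u5", "LIGHTOFF", "u0"),
}


def make_explainer(init: str, rho, choose: Callable[[List[str]], str]):
    """Build a target explanatory function EXPL_T' : A* -> H_T'.  `choose` resolves
    the non-determinism of T' by picking one successor; different policies give
    different explanatory functions, hence different induced controllers.  Returns
    None where the action sequence has no run in T' (EXPL undefined)."""
    succ = {}
    for (t, a, t_next) in rho:
        succ.setdefault((t, a), set()).add(t_next)

    def expl(alpha: Sequence[str]) -> Optional[List[str]]:
        t, history = init, [init]            # history alternates state, action, state, ...
        for a in alpha:
            candidates = sorted(succ.get((t, a), ()))
            if not candidates:
                return None
            t = choose(candidates)
            history += [a, t]
        return history
    return expl


def controller_prime(h_actions: Sequence[str], t1: str, a: str, t2: str) -> Optional[int]:
    """Constructed controller C_T' for the approximate target.  STOP is delegated to
    whichever media device the history last activated, which is why a controller
    takes the history and not only the current request."""
    if a in ("LIGHTON", "LIGHTOFF"):
        return 4
    if a == "MOVIE":
        return 3
    if a == "GAME":
        return 1
    if a == "RADIO":
        return 2
    if a == "STOP":
        last = h_actions[-1] if h_actions else None
        return {"GAME": 1, "RADIO": 2, "MOVIE": 3}.get(last)
    return None


def induce_controller(c_prime, expl_prime):
    """C_T induced from C_T': explain [h]·a in T' and, when the explanation ends with
    t1' -a-> t2', answer exactly as C_T' would for that request; otherwise the induced
    controller is undefined (None).  The original target's own states t1, t2 do not
    influence the answer, exactly as in the defining equation."""
    def c_t(h_actions: Sequence[str], t1: str, a: str, t2: str) -> Optional[int]:
        hist = expl_prime(list(h_actions) + [a])
        if hist is None:
            return None
        t1_prime, t2_prime = hist[-3], hist[-1]
        return c_prime(h_actions, t1_prime, a, t2_prime)
    return c_t


# Two explanatory functions: one explains MOVIE via u2 (committing to GAME), the
# other via u4 (committing to RADIO); each yields its own induced controller.
C_VIA_GAME = induce_controller(controller_prime, make_explainer(T_PRIME_INIT, T_PRIME_RHO, min))
C_VIA_RADIO = induce_controller(controller_prime, make_explainer(T_PRIME_INIT, T_PRIME_RHO, max))

if __name__ == "__main__":
    h = ["LIGHTON", "MOVIE"]
    print("GAME after MOVIE :", C_VIA_GAME(h, "t2", "GAME", "t3"), C_VIA_RADIO(h, "t2", "GAME", "t3"))
    print("RADIO after MOVIE:", C_VIA_GAME(h, "t2", "RADIO", "t3"), C_VIA_RADIO(h, "t2", "RADIO", "t3"))
```

Both induced controllers agree wherever the explanation is unique (LIGHTON, MOVIE, STOP), but after LIGHTON · MOVIE one honours GAME and is undefined on RADIO while the other does the opposite, which is precisely why the text says different explanatory functions yield different induced controllers; a request the approximation never offers, such as MUSIC, is undefined under both.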

First, we show that better target approximations amount to better, or more precisely 
"never worse," imported controllers. 

Theorem 3. Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be two target approximations of target $\mathcal{T}$ on system $\mathcal{S}$, and let $C_1$ and $C_2$ be exact compositions of $\mathcal{T}_1$ and $\mathcal{T}_2$, resp. Suppose also that $\mathcal{T}_2 \preceq \mathcal{T}_1$ (i.e., $\mathcal{T}_1$ simulates $\mathcal{T}_2$). Then, for every controller $C'_1 \in \Omega^{\mathcal{T}}_{(C_1,\mathcal{T}_1)}$, there is no controller $C'_2 \in \Omega^{\mathcal{T}}_{(C_2,\mathcal{T}_2)}$ such that $C'_2 > C'_1$ holds.

In other words, if $\mathcal{T}_1$ is as good an approximation as $\mathcal{T}_2$, then $\mathcal{T}_1$'s imported controllers will not be worse than those imported from $\mathcal{T}_2$. More importantly, the next result demonstrates that importing controllers from an optimal approximation yields maximal compositions (for the original target being approximated), and that, together, they account for every trace of the original target that could ever be realized. In other words, $\Omega^{\mathcal{T}}_{(C,\widetilde{\mathcal{T}})}$ is sound and "complete."

Theorem 4. Let $\widetilde{\mathcal{T}}$ be an optimal approximation of target $\mathcal{T}$ on system $\mathcal{S}$, and $C$ be an exact composition for $\widetilde{\mathcal{T}}$. Then,

- For all $C' \in \Omega^{\mathcal{T}}_{(C,\widetilde{\mathcal{T}})}$ it holds that $C' \in \text{MaxComp}(\mathcal{S}, \mathcal{T})$; and

- $\bigcup_{C' \in \Omega^{\mathcal{T}}_{(C,\widetilde{\mathcal{T}})}} \Delta^{C'}_{(\mathcal{S},\mathcal{T})} = \bigcup_{C' \in \text{MaxComp}(\mathcal{S},\mathcal{T})} \Delta^{C'}_{(\mathcal{S},\mathcal{T})}$, that is, all imported controllers account together for all realizable target traces.

These two results are important in that they establish the relationship between approximating the target and optimizing its controller: optimizing targets implies optimizing controllers. A direct and expected consequence of Theorems 1 and 4 is that if the optimal approximation is simulation equivalent to the target, then every imported controller from such an approximation is in fact an exact composition.
5 Computing Optimal Approximations for Deterministic Systems

Various techniques have been used to actually solve classical behavior composition problems, including PDL satisfiability [6], direct search-based approaches [19], LTL/ATL synthesis [16], and computation of special kinds of simulation relations [11]. Unfortunately, all those techniques synthesize exact composition controllers. In the context of our work, we are interested in computing optimal target approximations instead. We show how this can be effectively done for the special case of deterministic available behaviors, as in the case of service composition [3].

De Giacomo and Felli [5] have shown that the controller generator (i.e., a structure representing all exact compositions) can be synthesised by resorting to Alternating-time Temporal Logic (ATL) model checking. ATL [1] is a logic for reasoning about the ability of groups of agents (i.e., coalitions) in multi-agent game structures. The advantage of reducing the composition problem to that of ATL reasoning is that it provides access to some of the most advanced model checking techniques and tools, such as MCMAS [11], that are in active development within the agent community.

ATL formulae are built by combining propositional formulas, the usual temporal operators — namely, $\bigcirc$ ("in the next state"), $\Box$ ("always"), $\Diamond$ ("eventually"), and $\mathcal{U}$ ("strict until") — and a coalition path quantifier $\langle\langle A \rangle\rangle$ taking a set of agents $A$ as parameter. Intuitively, an ATL formula $\langle\langle A \rangle\rangle \phi$, where $A$ is a set of agents, holds in an ATL structure if by suitably choosing their moves, the agents in $A$ can force $\phi$ true, no matter how the other agents happen to move. The semantics of ATL is defined in so-called concurrent game structures where, at each point, all agents simultaneously choose their moves from a finite set, and the next state deterministically depends on such choices.

In order to reduce a behavior composition problem to an ATL model checking problem, De Giacomo and Felli [5] basically define an ATL structure $\mathcal{M}_{S,T}$ with one agent per available and target behavior, and one distinguished agent $\mathit{contr}$ representing the controller. A state $(b_1, \ldots, b_n, t_s, a, t_d, k)$ in such a model encodes the current state $b_i$ of each available behavior, the current state $t_s$ of the target, the current action $a$ being requested by the target, the next target state $t_d$ given the request, and the index $k$ of the available behavior to which the last action was delegated. The initial states of $\mathcal{M}_{S,T}$ encode all possible initial configurations of the composition framework, i.e., initial states for all behaviors and a legal initial request. Also, the structure is made to encode all legal evolutions of the composition instance. The task then involves model checking the special formula
$$\psi = \langle\langle \mathit{contr}\rangle\rangle \Box \Big(\bigwedge_{i=1,\ldots,n} \mathit{state}_i \neq \mathit{err}_i\Big)$$
against structure $\mathcal{M}_{S,T}$,³ which states that the controller agent has a strategy so that none of the $n$ available behaviors ends up in an error state. A behavior arrives at a distinguished "error" state if it is ever delegated an action that it cannot perform. As a result, the controller agent ought to make sure it always delegates actions in the right way so as to satisfy every potential request, that is, it has to solve the composition problem. Finally, [5, Definition 2 & Theorems 3 and 4] show how to extract a correct controller generator, a structure representing all exact compositions, from the set of winning states $[\psi]_{\mathcal{M}_{S,T}}$, namely, all those states $q$ in $\mathcal{M}_{S,T}$ such that $q \models \psi$. Intuitively, a winning state for them is one in which the current request is legally honored by some available behavior and all corresponding successor states are winning.

³ We note that [5] deals with final states where the composition execution may stop. For simplicity, we have not dealt with final configurations here, but one can easily accommodate them.

Surprisingly, it turns out that one can readily adapt De Giacomo and Felli's [5] reduction to actually synthesize an optimal approximation for a, possibly non-solvable, deterministic composition problem (and to extract the corresponding controller generator). Though it looks counter-intuitive, the key for this is to include the target behavior in the coalition, so that the joint strategy also includes selecting which transition from the actual target may be requested. In other words, we are instead to model check the following formula against structure $\mathcal{M}_{S,T}$:
$$\varphi = \langle\langle \mathit{contr}, \mathit{tgt}\rangle\rangle \Box \Big(\bigwedge_{i=1,\ldots,n} \mathit{state}_i \neq \mathit{err}_i\Big).$$
In this case, a winning state in $[\varphi]_{\mathcal{M}_{S,T}}$ is one in which the target requests actions such that the controller can (always) legally honor them with an available behavior, and has some corresponding successor winning state. Observe here the implicit existential quantification on the requests, as compared with the universal quantification implied in De Giacomo and Felli's [5] encoding for exact composition synthesis.

Intuitively, the idea behind formula $\varphi$, as opposed to formula $\psi$, is that the coalition is now in control of what can be requested (and what should not be). This suggests that the coalition has the ability to select which parts of the target can be executed without driving the available system into an "error" state (due to an impossible fulfilment of a request). It follows then that one can extract an optimal approximation from the maximal winning set $[\varphi]_{\mathcal{M}_{S,T}}$, as the following result demonstrates.

Theorem 5. Let $\mathcal{S} = (\mathcal{B}_1, \ldots, \mathcal{B}_n)$ be a system and $\mathcal{T} = (T, A, t_0, \varrho_T)$ a target module. Then, behavior $\tilde{\mathcal{T}} = (\tilde{T}, A, \tilde{t}_0, \tilde{\varrho})$ is an optimal approximation for $\mathcal{T}$ on $\mathcal{S}$, where:

- $\tilde{T} = \{(b_1, \ldots, b_n, t_s) \mid (b_1, \ldots, b_n, t_s, a, t_d, k) \in [\varphi]_{\mathcal{M}_{S,T}}\} \cup \{\tilde{t}_0\}$;

- $\tilde{t}_0 = (b_{10}, \ldots, b_{n0}, t_0)$ is the initial state of $\tilde{\mathcal{T}}$;

- $\tilde{\varrho}((b_1, \ldots, b_n, t_s), a, (b'_1, \ldots, b'_n, t_d))$ iff for some action $a' \in A$ and indexes $k, k' \in \{1, \ldots, n\}$, it is the case that:

  • $(b_1, \ldots, b_n, t_s, a, t_d, k), (b'_1, \ldots, b'_n, t'_s, a', t'_d, k') \in [\varphi]_{\mathcal{M}_{S,T}}$; and

  • $(b_1, \ldots, b_n, t_s, a, t_d, k)$ may transition to $(b'_1, \ldots, b'_n, t'_s, a', t'_d, k')$ in $\mathcal{M}_{S,T}$.

It is not hard to see that the controller generator [17] for $\tilde{\mathcal{T}}$ can be extracted by keeping those behavior delegations that transition a winning game state into another winning state in $\mathcal{M}_{S,T}$. In terms of computational complexity, the model checking task on ATL can be done in polynomial time with respect to the size of the game structure [1]. Since the size of such a space is exponential in the number of available behaviors, computing the optimal approximation can be done in exponential time (for deterministic systems). Observe that, in the worst case, the approximation problem itself is (at least) exponential, as it subsumes the classical behavior composition problem (which is known to be EXPTIME-complete even under deterministic behaviors). Indeed, in order to check if a problem has an exact composition one can compute its optimal approximation and test (in polynomial time) if it is simulation equivalent with the original target.
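The polynomial-time simulation-equivalence test mentioned above, as an added example that is not part of the original paper: the largest simulation relation between two target modules is computed as a greatest fixpoint (start from all state pairs and discard a pair whenever one of its moves cannot be matched), and simulation equivalence is the test in both directions. The module `TARGET` is transcribed from the house entertainment target used throughout the paper; `APPROX` is an assumed, hand-constructed candidate approximation that drops the `game` and `web` requests (it is not the module the paper's tooling extracts), and `RENAMED` is the target with renamed states, included to show that equivalence is not identity.

```python
"""Simulation preorder and simulation-equivalence test between target modules.
Worked example added for this page; the candidate approximation below is a
hand-constructed assumption, not output of the paper's MCMAS encoding."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    init: str
    rho: frozenset  # transition relation as triples (s, action, s')

    @property
    def states(self):
        return ({s for (s, _, _) in self.rho} | {t for (_, _, t) in self.rho}
                | {self.init})

    def succ(self, s):
        return [(a, t) for (x, a, t) in self.rho if x == s]


def largest_simulation(t1, t2):
    """Greatest relation R with (s, s2) in R meaning "s2 simulates s": every
    s -a-> u must be matched by some s2 -a-> u2 with (u, u2) in R.  Computed as a
    greatest fixpoint by starting from all pairs and discarding violators."""
    R = {(s, s2) for s in t1.states for s2 in t2.states}
    changed = True
    while changed:
        changed = False
        for (s, s2) in list(R):
            for (a, u) in t1.succ(s):
                if not any(a2 == a and (u, u2) in R for (a2, u2) in t2.succ(s2)):
                    R.discard((s, s2))
                    changed = True
                    break
    return R


def simulated_by(t1, t2):
    """t1 <= t2 in the paper's notation: t2 replicates every move of t1."""
    return (t1.init, t2.init) in largest_simulation(t1, t2)


def simulation_equivalent(t1, t2):
    return simulated_by(t1, t2) and simulated_by(t2, t1)


# House entertainment target (transcribed from the paper's running example).
TARGET = Target("t0", frozenset({
    ("t0", "lighton", "t1"), ("t1", "movie", "t2"), ("t1", "music", "t2"),
    ("t2", "game", "t3"), ("t2", "radio", "t3"), ("t2", "web", "t3"),
    ("t3", "stop", "t4"), ("t4", "lightoff", "t0")}))
# Assumed candidate approximation: like TARGET but without 'game' and 'web'.
APPROX = Target("u0", frozenset({
    ("u0", "lighton", "u1"), ("u1", "movie", "u2"), ("u1", "music", "u2"),
    ("u2", "radio", "u3"), ("u3", "stop", "u4"), ("u4", "lightoff", "u0")}))
# Same behavior as TARGET with renamed states: equivalent but not identical.
RENAMED = Target("v0", frozenset(
    (s.replace("t", "v"), a, t.replace("t", "v")) for (s, a, t) in TARGET.rho))

if __name__ == "__main__":
    print("APPROX <= TARGET:", simulated_by(APPROX, TARGET))
    print("TARGET <= APPROX:", simulated_by(TARGET, APPROX))
    print("TARGET ~ RENAMED:", simulation_equivalent(TARGET, RENAMED))
```

Because `APPROX` is simulated by `TARGET` but not vice versa, the two are not simulation equivalent, which is exactly the situation in which no exact composition exists for the original target and only an approximation can be realized.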

The full details of the ATL encoding, together with an implementation in MCMAS 
of our running example, can be found in the Appendix. 
6 Discussion

We have proposed a qualitative framework for approximate behavior composition in 
which the task is to find the closest possible target module that can be implemented with 
the available modules. To that end, we relied on the formal notion of simulation and that 
of imported controllers for the specification of the problem, and on ATL model checking 
for actual computation of solutions for the special case of deterministic systems. To our 
knowledge, this is the first account that is able to accommodate behavior composition 
instances with no complete solutions — arguably the most common ones — while still 
remaining within the original problem formulation. 



Initially, the work of Girard and Pappas [9] appeared to be extremely related to our objectives, as it proposes a notion of transition system approximation based on the notion of simulation. However, their work differs in what is being approximated. In the most general notion of simulation, only some aspects of states are observable and two states in simulation are meant to coincide on their observable aspects. In Girard and Pappas's account [9], an approximate transition system is allowed to differ on such observables up to some extent: $s$ simulates $s'$ implies $s$ can (always) replicate all moves of $s'$ and $s$'s observation is "similar" to that of $s'$. It follows then that the approximating transition system must still be able to mimic all actions of the approximated system. In our framework, there is no notion of state observations (every state has the same observations) and hence we only focus on the similarities of states in terms of the potential behavior they can generate. We believe though that one can use their account of approximation when performing composition within a shared environment (as in [6, 19]), so as to allow the environment to evolve "close enough" to what is necessary.

Confronted with a behavior composition problem instance admitting no complete solution (i.e., no exact composition) one can, of course, think of other approaches orthogonal to the one developed here. For example, one may look for additional available behavior modules or the enhancement of existing ones with new capabilities that will recover exactness. In some cases, simply adding extra "copies" of existing modules could be enough. Thus, installing an extra video camera in the house may make the problem solvable. One could also consider a framework where essential and optional functionalities can be specified, and look for controllers that fully realize the former while optimizing the latter. We shall focus on these ideas in future work, as well as on generalizing the actual synthesis techniques from Section 5 to nondeterministic systems, possibly relying on more expressive games using GR(1) formulas [4].

The only approach, as far as we know, to deal with unsolvable composition instances is the one we pursued previously in [20] within a decision-theoretic framework. There, the idea is to look for a controller that maximizes the "expected realizability" of the target behavior. There are however two major differences with our current proposal. First, the controller of [20] may in some runs yield dead-end situations, that is, states from where no further target request can be fulfilled. Under our framework, the user (of the target) can never arrive at those "error" situations, as the optimal approximation is always fully implementable. Second, in our work we kept the strict uncertainty setting from the composition problem found in the literature: no extra knowledge of the domain is assumed 
to be available. We note that it is well known that strict uncertainty cannot always be 
reduced to a setting where the uncertainty can be measured Q. Nonetheless, it would 
be interesting to be able to accommodate extra domain knowledge when available. 
A Appendix

A.1 Computing optimal approximations for deterministic behaviors

Here, we detail the use of the ATL model checking technique to compute the optimal target approximation for problem instances involving deterministic available behaviors. First, we show how to construct a concurrent game structure for ATL from a given behavior composition problem. Following that, we present the formula to check in such a model in order to get the optimal approximation.

So, let $\mathcal{S} = (\mathcal{B}_1, \ldots, \mathcal{B}_n)$ be a system, with deterministic available behaviors $\mathcal{B}_i = (B_i, A_i, b_{i0}, \varrho_i)$, for $1 \leq i \leq n$, and let $\mathcal{T} = (T, A, t_0, \varrho_T)$ be a target behavior. We start by modifying each available behavior $\mathcal{B}_i$ by adding a new disconnected error state $\mathit{err}_i$, for each $1 \leq i \leq n$. The error state captures wrong delegations by the controller, i.e., a behavior reaches the error state if it cannot execute the delegated action from its current state. Let $\mathrm{Post}_i(s, a)$ denote the set of successor states of behavior $\mathcal{B}_i$ after executing action $a$ from its state $s$. Formally, $\mathrm{Post}_i(s, a) = \{s' \mid (s, a, s') \in \varrho_i\}$.

We define the concurrent game structure, for a system $\mathcal{S}$ and target $\mathcal{T}$, as the tuple $\mathcal{M}_{S,T} = (\{1, \ldots, n, \mathit{tgt}, \mathit{contr}\}, Q, \Pi, \pi, d, \delta)$, where:

- There are $k = n + 2$ players, one per available behavior (agents $1, \ldots, n$), one agent for the target module (agent $\mathit{tgt}$, with index $k-1$), and one agent for the controller (agent $\mathit{contr}$, with index $k$).

- The states $Q$ of the game structure consist of the following finite-range functions:

  • $\mathit{state}_i \in B_i \cup \{\mathit{err}_i\}$ returns the current state of behavior $\mathcal{B}_i$;

  • $\mathit{sch} \in \{1, \ldots, n\}$ returns the index of the available behavior that performed the last transition request;

  • $\mathit{req} \in \varrho_T$ returns the next transition request of the target. Given a transition request $r = (t_s, a, t_d)$, we denote its action $a$ by $\mathit{act}(r)$.

- $\Pi$ is the set of propositions asserting value assignments to the above defined functions.

- $\pi$ is the mapping from a game state $q$ to the values returned by the above defined functions. For convenience, we write $\mathit{state}_i(q) = b$ instead of $(\mathit{state}_i = b) \in \pi(q)$.

- The function $d(j, q)$ captures the moves available to player $j$ at state $q$, and is defined as follows:

  • Available behaviors ($j \in \{1, \ldots, n\}$):
  $$d(j, q) = \begin{cases} \{\mathit{err}_j\}, & \text{if } \mathrm{Post}_j(\mathit{state}_j(q), \mathit{act}(\mathit{req}(q))) = \emptyset \\ \mathrm{Post}_j(\mathit{state}_j(q), \mathit{act}(\mathit{req}(q))), & \text{otherwise.} \end{cases}$$

  • Target behavior: $d(k-1, q) = \{(t_s, a, t_d) \in \varrho_T \mid \mathit{req}(q) = (t'_s, a', t_s) \text{ for some } t'_s, a'\}$.

  • Controller: $d(k, q) = \{1, \ldots, n\}$.

- $\delta : Q \times \prod_{i=1}^{n}(B_i \cup \{\mathit{err}_i\}) \times \varrho_T \times \{1, \ldots, n\} \to Q$ is the game transition function, where $\delta(q, j_1, \ldots, j_k) = q'$ if:

  • $\mathit{sch}(q') = j_k$;

  • $\mathit{state}_i(q') = j_i$ if $i = j_k$;

  • $\mathit{state}_i(q') = \mathit{state}_i(q)$ for $i \in \{1, \ldots, n\} \setminus \{j_k\}$; and

  • $\mathit{req}(q') = j_{k-1}$.

We observe that our model is similar to the one used in [5], except that the target agent's requests involve transitions rather than actions.

Lastly, we model check the following ATL formula in the structure $\mathcal{M}_{S,T}$:
$$\varphi = \langle\langle \mathit{contr}, \mathit{tgt}\rangle\rangle \Box \Big(\bigwedge_{i=1,\ldots,n} \mathit{state}_i \neq \mathit{err}_i\Big).$$
In particular, as Theorem 5 demonstrates, the winning set $[\varphi]_{\mathcal{M}_{S,T}}$ provides the basis for building an optimal approximation target. The code for the implementation of the example in MCMAS can be found at the end of the appendix.
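The game-structure construction above and the winning-set check of Section 5, as an added worked example written for this page (it is neither the paper's code nor an MCMAS encoding): game states are $(b_1, \ldots, b_n, \mathit{req}, \mathit{sch})$ tuples, $[\varphi]_{\mathcal{M}_{S,T}}$ is computed as a greatest fixpoint over the reachable states (a state stays winning while some joint move of $\mathit{tgt}$ and $\mathit{contr}$ keeps every successor winning), and $\tilde{\mathcal{T}}$ is then extracted as in Theorem 5. The behaviors and target are transcribed from the ISPL listing in Section A.3; the scheduling sentinel `None` for the initial state is this example's own convention. One generalization is assumed: because the GameDevice in that listing answers `web` nondeterministically, a delegation is kept only when every successor of the scheduled behavior is winning, which coincides with the theorem's definition when behaviors are deterministic.

```python
"""Winning set of phi = <<contr, tgt>> G (AND_i state_i != err_i) over M_{S,T}
and extraction of the optimal approximation (Theorem 5).  Worked example
written for this page; behaviors and target are transcribed from the
house-entertainment ISPL listing in Appendix A.3."""
from collections import deque

ERR = "err"
# Available behaviors, indexed 0..n-1 (GameDevice, AudioDevice, MovieDevice,
# LightDevice): initial states and relations {(state, action): successors}.
INIT = ("a0", "b0", "c0", "d0")
DELTA = [
    {("a0", "movie"): {"a1"}, ("a1", "game"): {"a2"}, ("a1", "web"): {"a2", "a3"},
     ("a2", "stop"): {"a0"}, ("a3", "unplug"): {"a0"}},
    {("b0", "music"): {"b1"}, ("b1", "radio"): {"b2"}, ("b2", "stop"): {"b0"}},
    {("c0", "movie"): {"c1"}, ("c1", "radio"): {"c2"}, ("c2", "stop"): {"c0"}},
    {("d0", "lighton"): {"d1"}, ("d1", "lightoff"): {"d0"}},
]
# Target module: initial state and relation rho_T as (t_s, action, t_d).
T0 = "t0"
RHO_T = {("t0", "lighton", "t1"), ("t1", "movie", "t2"), ("t1", "music", "t2"),
         ("t2", "game", "t3"), ("t2", "radio", "t3"), ("t2", "web", "t3"),
         ("t3", "stop", "t4"), ("t4", "lightoff", "t0")}

# A game state is (behavior states, pending request, sch); sch is the index of
# the behavior that executed the previous request (None in the initial state).


def post(i, s, a):
    """Post_i(s, a), or {err} when behavior i cannot execute a from s."""
    return DELTA[i].get((s, a)) or {ERR}


def next_requests(t):
    """Moves of agent tgt: transitions of T leaving the pending request's t_d."""
    return [r for r in RHO_T if r[0] == t] or [None]  # None: nothing left to ask


def coalition_moves(q):
    """Joint moves of (tgt, contr): next request and delegated behavior index."""
    b, r, _ = q
    if r is None:
        return []
    return [(r2, k) for r2 in next_requests(r[2]) for k in range(len(b))]


def successors(q, r2, k):
    """Successors for one coalition move; behavior k's own move ranges over
    Post_k, so a nondeterministic behavior yields several successors."""
    b, r, _ = q
    return {(b[:k] + (s,) + b[k + 1:], r2, k) for s in post(k, b[k], r[1])}


def is_error(q):
    return ERR in q[0]


def reachable(inits):
    seen, queue = set(inits), deque(inits)
    while queue:
        q = queue.popleft()
        if is_error(q):
            continue  # error states are sinks
        for r2, k in coalition_moves(q):
            for q2 in successors(q, r2, k):
                if q2 not in seen:
                    seen.add(q2)
                    queue.append(q2)
    return seen


def winning_set(inits):
    """Greatest fixpoint: W = {q not in error | some coalition move keeps every
    successor inside W}, i.e. [phi]_M restricted to the reachable states."""
    W = {q for q in reachable(inits) if not is_error(q)}
    changed = True
    while changed:
        changed = False
        for q in list(W):
            good = q[1] is None or any(successors(q, r2, k) <= W
                                       for r2, k in coalition_moves(q))
            if not good:
                W.discard(q)
                changed = True
    return W


def optimal_approximation():
    """Theorem 5: states of T~ are projections (b_1..b_n, t_s) of winning states;
    a transition is kept when the delegation realising it stays inside W."""
    inits = [(INIT, r, None) for r in RHO_T if r[0] == T0]
    W = winning_set(inits)
    t0 = (INIT, T0)
    states = {(b, r[0]) for (b, r, _) in W if r is not None} | {t0}
    rho = set()
    for q in W:
        b, r, _ = q
        for r2, k in coalition_moves(q):
            succ = successors(q, r2, k)
            if succ <= W:
                rho |= {((b, r[0]), r[1], (b2, r[2])) for (b2, _, _) in succ}
    return states, t0, rho, W


if __name__ == "__main__":
    states, t0, rho, W = optimal_approximation()
    print(len(W), "winning game states;", len(states), "states in T~")
    print("actions kept in T~:", sorted({a for (_, a, _) in rho}))
```

On this input the extracted $\tilde{\mathcal{T}}$ keeps `lighton`, `movie`, `music`, `game`, `radio`, `stop` and `lightoff` but drops `web`: delegating `web` to the GameDevice may land it in `a3`, from where the target's next request `stop` cannot be honored by any behavior, so no winning state carries a `web` request. Note also that the approximation distinguishes the two ways of serving `movie` (via the GameDevice, after which only `game` is safe, or via the MovieDevice, after which only `radio` is), since its states record the whole system configuration.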



A.2 Proofs

Theorem 2. An optimal approximation $\tilde{\mathcal{T}}$ of a target $\mathcal{T}$ on a system $\mathcal{S}$ is unique up to simulation equivalence.

Proof. Let $\tilde{\mathcal{T}}_i = (\tilde{T}_i, A, \tilde{t}_{i0}, \tilde{\varrho}_i)$, where $i \in \{1, 2\}$, be two optimal approximations of $\mathcal{T}$ on $\mathcal{S}$ (wlog we assume $\tilde{T}_1$ and $\tilde{T}_2$ are mutually disjoint). Let $C_1$ and $C_2$ be exact compositions of $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$ on $\mathcal{S}$, respectively. Assume $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$ are not simulation equivalent, i.e., $\tilde{\mathcal{T}}_1 \not\preceq \tilde{\mathcal{T}}_2$ and $\tilde{\mathcal{T}}_2 \not\preceq \tilde{\mathcal{T}}_1$. We will show that in such a case $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$ are not optimal approximations of $\mathcal{T}$ on $\mathcal{S}$. Consider a target behavior $\hat{\mathcal{T}} = (\hat{T}, A, \hat{t}_0, \hat{\varrho})$ defined as follows: (i) $\hat{T} = (\tilde{T}_1 \cup \tilde{T}_2) \setminus \{\tilde{t}_{10}, \tilde{t}_{20}\} \cup \{\hat{t}_0\}$; (ii) $\hat{\varrho} = \tilde{\varrho}'_1 \cup \tilde{\varrho}'_2$, where $\tilde{\varrho}'_i$ is the same as $\tilde{\varrho}_i$ except that $\tilde{t}_{i0}$ is replaced by $\hat{t}_0$ in the transition relation. See that $\hat{\mathcal{T}}$ is the result of joining $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$ at their initial state, and $\hat{\mathcal{T}}$ simulates both $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$, i.e., $\tilde{\mathcal{T}}_1 \preceq \hat{\mathcal{T}}$ and $\tilde{\mathcal{T}}_2 \preceq \hat{\mathcal{T}}$. Since by definition $\tilde{\mathcal{T}}_1 \preceq \mathcal{T}$ and $\tilde{\mathcal{T}}_2 \preceq \mathcal{T}$, and $\hat{\mathcal{T}}$ is the union of $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$, it holds that $\hat{\mathcal{T}} \preceq \mathcal{T}$. Therefore, $\tilde{\mathcal{T}}_1 \preceq \hat{\mathcal{T}} \preceq \mathcal{T}$ and $\tilde{\mathcal{T}}_2 \preceq \hat{\mathcal{T}} \preceq \mathcal{T}$.

Next, consider a controller $\hat{C}$ for $\hat{\mathcal{T}}$ that is the union of $C_1$ and $C_2$. That is, $\hat{C}(h, t \xrightarrow{a} t') = C_1(h, t \xrightarrow{a} t')$ if $(t, a, t') \in \tilde{\varrho}'_1$; $\hat{C}(h, t \xrightarrow{a} t') = C_2(h, t \xrightarrow{a} t')$ if $(t, a, t') \in \tilde{\varrho}'_2$; and $\hat{C}(h, t \xrightarrow{a} t') = u$ otherwise. Since $C_1, C_2$ are exact compositions of $\tilde{\mathcal{T}}_1, \tilde{\mathcal{T}}_2$ on $\mathcal{S}$, respectively, $\hat{C}$ is an exact composition of $\hat{\mathcal{T}}$ on $\mathcal{S}$. Therefore, $\hat{\mathcal{T}}$ is an approximation of $\mathcal{T}$ on $\mathcal{S}$. Since $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$ are simulated by $\hat{\mathcal{T}}$, they are not optimal approximations of $\mathcal{T}$ on $\mathcal{S}$. □

Theorem 3. Let $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$ be two target approximations of target $\mathcal{T}$ on system $\mathcal{S}$, and let $C_1$ and $C_2$ be exact compositions of $\tilde{\mathcal{T}}_1$ and $\tilde{\mathcal{T}}_2$, resp. Suppose also that $\tilde{\mathcal{T}}_2 \preceq \tilde{\mathcal{T}}_1$ (i.e., $\tilde{\mathcal{T}}_1$ simulates $\tilde{\mathcal{T}}_2$). Then, for every controller $\tilde{C}_1 \in \Omega_{(C_1, \tilde{\mathcal{T}}_1)}$ there is no controller $\tilde{C}_2 \in \Omega_{(C_2, \tilde{\mathcal{T}}_2)}$ such that $\tilde{C}_2 > \tilde{C}_1$ holds.

Proof. Assume controllers $\tilde{C}_1$ and $\tilde{C}_2$ as above such that $\tilde{C}_2 > \tilde{C}_1$. Let $\mathrm{Expl}_{\tilde{C}_1}$ and $\mathrm{Expl}_{\tilde{C}_2}$ be the target explanatory functions that $\tilde{C}_1$ and $\tilde{C}_2$ are built upon, resp. Now, consider a target explanatory function $\mathrm{Expl}'_{\tilde{C}_1}$ for $\tilde{\mathcal{T}}_1$ such that $\mathrm{Expl}'_{\tilde{C}_1}([h])$ simulates $\mathrm{Expl}_{\tilde{C}_2}([h])$ state-wise (i.e., at each step). Note that such a function $\mathrm{Expl}'_{\tilde{C}_1}$ exists since $\tilde{\mathcal{T}}_1$ simulates $\tilde{\mathcal{T}}_2$. Next, consider the imported controller $\tilde{C}'_1 \in \Omega_{(C_1, \tilde{\mathcal{T}}_1)}$ built upon target explanatory function $\mathrm{Expl}'_{\tilde{C}_1}$. It is not hard to prove that, because traces obtained using $\mathrm{Expl}'_{\tilde{C}_1}$ simulate those obtained using $\mathrm{Expl}_{\tilde{C}_2}$, $\tilde{C}'_1 \geq \tilde{C}_2$ holds (i.e., $\tilde{C}'_1$ dominates $\tilde{C}_2$). Since, by assumption, $\tilde{C}_2 > \tilde{C}_1$, it follows that $\tilde{C}'_1 > \tilde{C}_1$, a contradiction since $\tilde{C}_1$ is not strictly dominated by any induced controller from $C_1$ to $\mathcal{T}$. □

Theorem 4. Let $\tilde{\mathcal{T}}$ be an optimal approximation of target $\mathcal{T}$ on system $\mathcal{S}$, and $C$ be an exact composition for $\tilde{\mathcal{T}}$. Then,

- for all $\tilde{C} \in \Omega_{(C, \tilde{\mathcal{T}})}$, it holds that $\tilde{C} \in \mathrm{MaxComp}(\mathcal{S}, \mathcal{T})$; and

- $\bigcup_{\tilde{C} \in \Omega_{(C, \tilde{\mathcal{T}})}} \Delta^{\tilde{C}}_{S,T} = \bigcup_{\tilde{C} \in \mathrm{MaxComp}(\mathcal{S}, \mathcal{T})} \Delta^{\tilde{C}}_{S,T}$, that is, all imported controllers account together for all realizable target traces.

Proof. The proof uses an auxiliary definition to enhance a behavior to account for a set of traces. If $\mathcal{B} = (B, A, b_0, \varrho)$ is a behavior and $\Delta$ is a set of traces of some other behavior $\mathcal{B}'$ (wlog we assume $\mathcal{B}'$ and $\mathcal{B}$ have disjoint sets of states), we define $\mathcal{B}_{+\Delta} = (\hat{B}, \hat{A}, b_0, \hat{\varrho})$ as follows:

- $\hat{B} = B \cup \{b' \mid b' \text{ is a state in some trace in } \Delta\}$;

- $\hat{A} = A \cup \{a \mid a \text{ occurs in some trace in } \Delta\}$;

- $\hat{\varrho} = \varrho \cup \{(b_0, a_1, b'_1) \mid b'_0 \xrightarrow{a_1} b'_1 \cdots \in \Delta\} \cup \{(b'_i, a_{i+1}, b'_{i+1}) \mid b'_0 \xrightarrow{a_1} b'_1 \cdots \in \Delta,\ i \geq 1\}$.

Informally, we extend $\mathcal{B}$ with a disjoint sub-transition system that can produce exactly those traces in $\Delta$. See that this is well-defined as $\mathcal{B}'$ is finite, and so will be $\mathcal{B}_{+\Delta}$. For the first claim, we assume there exists $\tilde{C} \in \Omega_{(C, \tilde{\mathcal{T}})}$ such that $\tilde{C} \notin \mathrm{MaxComp}(\mathcal{S}, \mathcal{T})$. Hence, there exists a controller $C'' \in \mathrm{MaxComp}(\mathcal{S}, \mathcal{T})$ such that $\Delta^{\tilde{C}}_{S,T} \subset \Delta^{C''}_{S,T}$. We next enhance $\tilde{\mathcal{T}}$ with the set of traces realized by $C''$, that is, we build $\tilde{\mathcal{T}}_{+\Delta^{C''}}$, and extend $C$ to $C'$ such that $C'$ mimics $C''$ for transition requests arising out of $\tilde{\mathcal{T}}$'s extension (i.e., requests from traces in $\Delta^{C''}_{S,T}$). It can then be shown that $\tilde{\mathcal{T}}_{+\Delta^{C''}}$ is indeed an approximation of $\mathcal{T}$, and that it has to be simulated by $\tilde{\mathcal{T}}$ (or otherwise $\tilde{\mathcal{T}}$ would not be an optimal approximation). Because there is a way to evolve $\tilde{\mathcal{T}}$ so as to mimic all traces in $\Delta^{C''}_{S,T}$, there must exist an induced controller $C^*$ from $C$ into $\mathcal{T}$ such that $\Delta^{C''}_{S,T} \subseteq \Delta^{C^*}_{S,T}$. This together with the original assumption implies that $\Delta^{\tilde{C}}_{S,T} \subset \Delta^{C^*}_{S,T}$, or what is the same, $C^* > \tilde{C}$, a contradiction since $\tilde{C}$ is an imported controller.

For the second claim, assume there exists a realizable trace $\tau$ of $\mathcal{T}$ such that $\tau$ is not realized by any imported controller. Let $C''$ be a controller realizing $\tau$. We build the enhanced behavior $\tilde{\mathcal{T}}_{+\{\tau\}}$ and extend $C$ to $C'$ so that $C'$ mimics $C''$ for requests arising from $\tilde{\mathcal{T}}$'s extension. Now, $\tilde{\mathcal{T}}_{+\{\tau\}}$ is an approximation of $\mathcal{T}$ and $\tilde{\mathcal{T}}$ does not simulate $\tilde{\mathcal{T}}_{+\{\tau\}}$ (else $\tau$ would be accounted for by some induced controller), an absurdity since $\tilde{\mathcal{T}}$ is an optimal approximation. □

Theorem 5. Let $\mathcal{S} = (\mathcal{B}_1, \ldots, \mathcal{B}_n)$ be a system and $\mathcal{T} = (T, A, t_0, \varrho_T)$ a target module. Then, behavior $\tilde{\mathcal{T}} = (\tilde{T}, A, \tilde{t}_0, \tilde{\varrho})$ is an optimal approximation for $\mathcal{T}$ on $\mathcal{S}$, where:

- $\tilde{T} = \{(b_1, \ldots, b_n, t_s) \mid (b_1, \ldots, b_n, t_s, a, t_d, k) \in [\varphi]_{\mathcal{M}_{S,T}}\} \cup \{\tilde{t}_0\}$;

- $\tilde{t}_0 = (b_{10}, \ldots, b_{n0}, t_0)$ is the initial state of $\tilde{\mathcal{T}}$;

- $\tilde{\varrho}((b_1, \ldots, b_n, t_s), a, (b'_1, \ldots, b'_n, t_d))$ iff for some action $a' \in A$ and indexes $k, k' \in \{1, \ldots, n\}$, it is the case that:

  • $(b_1, \ldots, b_n, t_s, a, t_d, k), (b'_1, \ldots, b'_n, t'_s, a', t'_d, k') \in [\varphi]_{\mathcal{M}_{S,T}}$; and

  • $\delta((b_1, \ldots, b_n, t_s, a, t_d, k), j_1, \ldots, j_{n+2}) = (b'_1, \ldots, b'_n, t'_s, a', t'_d, k')$ for some $j_1, \ldots, j_{n+2}$.

Proof. Each state $\tilde{t}$ of the behavior $\tilde{\mathcal{T}}$ is of the form $(b_1, \ldots, b_n, t)$, where $b_1, \ldots, b_n$ are states of behaviors $\mathcal{B}_1, \ldots, \mathcal{B}_n$ and $t$ is a state of the target behavior $\mathcal{T}$; we denote $t$ by $\mathrm{comp}_T(\tilde{t})$. Let $\mathcal{T} = (T, A, t_0, \varrho_T)$ be the original target behavior. Due to the definition of $\tilde{\varrho}$ in $\tilde{\mathcal{T}}$ and of $\delta$ in the model $\mathcal{M}_{S,T}$, it holds that $\tilde{t} \xrightarrow{a} \tilde{t}' \in \tilde{\varrho}$ only if $\mathrm{comp}_T(\tilde{t}) \xrightarrow{a} \mathrm{comp}_T(\tilde{t}') \in \varrho_T$. Now, consider the relation $R \subseteq \tilde{T} \times T$ such that $(\tilde{t}, t) \in R$ iff $\mathrm{comp}_T(\tilde{t}) = t$. Then, for a tuple $(\tilde{t}, t) \in R$, for all transitions $\tilde{t} \xrightarrow{a} \tilde{t}'$ in $\tilde{\mathcal{T}}$ there exists a transition $t \xrightarrow{a} t'$ in $\mathcal{T}$ such that $(\tilde{t}', t') \in R$. See that $R$ is a simulation relation of $\tilde{\mathcal{T}}$ by $\mathcal{T}$, i.e., $\tilde{\mathcal{T}} \preceq \mathcal{T}$.

Next, we show that $\tilde{\mathcal{T}}$ has an exact composition on $\mathcal{S}$. The set $[\varphi]_{\mathcal{M}_{S,T}}$ contains all states from where the controller and target can choose their moves so that the behaviors are never in the error states, i.e., the target can choose which transition to request next such that the controller is able to successfully delegate that transition to a behavior, ensuring realisability of future request(s). Therefore, for all transitions $(b_1, \ldots, b_n, t) \xrightarrow{a} (b'_1, \ldots, b'_n, t')$ in $\tilde{\mathcal{T}}$ there exist states $(b_1, \ldots, b_n, t, a, t', k), (b'_1, \ldots, b'_n, t', a', t'', k') \in [\varphi]_{\mathcal{M}_{S,T}}$ such that the behavior $\mathcal{B}_{k'}$ successfully honors the transition request $t \xrightarrow{a} t'$ and realisation of the subsequent transition request $t' \xrightarrow{a'} t''$ can still be guaranteed. This, in addition to the fact that the initial state of the game is used to initialize the system and the target, is enough to show that $\tilde{\mathcal{T}}$ has an exact composition on $\mathcal{S}$.

Last, we show that $\tilde{\mathcal{T}}$ is an optimal approximation of $\mathcal{T}$ on $\mathcal{S}$. Let $\hat{\mathcal{T}} = (\hat{T}, A, \hat{t}_0, \hat{\varrho})$ be the optimal approximation of $\mathcal{T}$ on $\mathcal{S}$. Therefore, by definition of optimal approximation, $\tilde{\mathcal{T}} \preceq \hat{\mathcal{T}} \preceq \mathcal{T}$. We use proof by contradiction to show that $\tilde{\mathcal{T}}$ and $\hat{\mathcal{T}}$ are simulation equivalent. Assume that $\tilde{\mathcal{T}}$ does not simulate $\hat{\mathcal{T}}$, i.e., $\hat{t}_0 \not\preceq \tilde{t}_0$. Therefore, there exists a trace $\hat{\tau} = \hat{t}^0 \xrightarrow{a^1} \cdots \hat{t}^n$ of $\hat{\mathcal{T}}$ such that for all traces $\tilde{\tau} = \tilde{t}^0 \xrightarrow{a^1} \cdots \tilde{t}^n$ of $\tilde{\mathcal{T}}$, there exists a transition $\hat{t}^n \xrightarrow{a^{n+1}} \hat{t}^{n+1}$ in $\hat{\mathcal{T}}$ for which there is no transition $\tilde{t}^n \xrightarrow{a^{n+1}} \tilde{t}^{n+1}$ in $\tilde{\mathcal{T}}$. That is, $\hat{\tau}$ cannot be simulated by any trace of $\tilde{\mathcal{T}}$. Let us consider the ATL model $\mathcal{M}_{S,\hat{T}}$ between $\hat{\mathcal{T}}$ and $\mathcal{S}$. Since $\hat{\mathcal{T}}$ has an exact composition on $\mathcal{S}$, the states $W = [\varphi]_{\mathcal{M}_{S,\hat{T}}}$ will accommodate all of $\hat{\mathcal{T}}$'s transition requests. Let $W_{\hat{\tau}} \subseteq W$ be the set of winning states catering for $\hat{\tau}$'s transitions, that is, $(b_1, \ldots, b_n, t_s, a, t_d, k) \in W_{\hat{\tau}}$ if $t_s \xrightarrow{a} t_d = \hat{t}^i \xrightarrow{a^{i+1}} \hat{t}^{i+1}$ for some $i \leq n$. See that the transition $\hat{t}^n \xrightarrow{a^{n+1}} \hat{t}^{n+1}$ which breaks the simulation of $\hat{\mathcal{T}}$ by $\tilde{\mathcal{T}}$ is also included. Now consider the set of states in the model $\mathcal{M}_{S,T}$ defined by:
$$U = \{(b_1, \ldots, b_n, t_s, a, t_d, k) \mid (b_1, \ldots, b_n, \hat{t}_s, a, \hat{t}_d, k) \in W_{\hat{\tau}},\ \hat{t}_s \preceq t_s,\ \hat{t}_d \preceq t_d\}.$$
That is, the states are similar to the states in $W_{\hat{\tau}}$ except for the transition requests: the transition requests of $\hat{\mathcal{T}}$ are replaced by the transition requests from $\mathcal{T}$ such that the corresponding states are in simulation. Note that these states are not only legal states but also included in the set $[\varphi]_{\mathcal{M}_{S,T}}$, i.e., $U \subseteq [\varphi]_{\mathcal{M}_{S,T}}$: allocation of simulating transitions to the same indexes as in the states of $W_{\hat{\tau}}$ will also satisfy the formula in $[\varphi]_{\mathcal{M}_{S,T}}$. Therefore, $U$ contains states having transition requests $t \xrightarrow{a^{n+1}} t'$ of $\mathcal{T}$, corresponding to $\hat{\tau}$'s transition $\hat{t}^n \xrightarrow{a^{n+1}} \hat{t}^{n+1}$, such that $\hat{t}^n \preceq t$ and $\hat{t}^{n+1} \preceq t'$. Consequently, there will be a transition $\tilde{t}^n \xrightarrow{a^{n+1}} \tilde{t}^{n+1}$ in $\tilde{\mathcal{T}}$ where $\hat{t}^n \preceq \mathrm{comp}_T(\tilde{t}^n)$ and $\hat{t}^{n+1} \preceq \mathrm{comp}_T(\tilde{t}^{n+1})$, which contradicts the assumption. Therefore, $\tilde{\mathcal{T}}$ and $\hat{\mathcal{T}}$ are simulation equivalent and hence $\tilde{\mathcal{T}}$ is an optimal approximation. □

See that, if none of the possible "initial states" of $\mathcal{M}_{S,T}$ (where all available and target behaviors are in their initial states and a legal first action is being requested) belong to the winning set, then the initial state of the extracted target $\tilde{\mathcal{T}}$ (i.e., state $\tilde{t}_0$) will end up disconnected from all other states, if any. In that case, it is not hard to see that such an approximation will be equivalent to an empty target.

A.3 Implementation of the house entertainment example

Below is the code for the MCMAS implementation of the house entertainment example presented in the paper. The implementation encodes the given problem in ISPL (Interpreted Systems Programming Language), the input language for MCMAS. ISPL allows defining two different kinds of agents: a number of standard agents and an optional environment agent. The environment agent offers a common space to share information amongst the standard agents via observable variables (Obsvars). Each ISPL agent definition consists of: (i) a set of local states; (ii) a set of executable actions; (iii) rules describing which action can be executed in a given state (Protocol); and (iv) an Evolution function describing how the states evolve. Note the similarity between the definition of an MCMAS agent and a behavior module.

We encode the available behaviors and the target as standard agents and the controller in the environment agent. The environment agent, in particular, has two observables, namely, the currently requested action (act) and the scheduled behavior (sch) to which such action is delegated. Note that the requested action depends on the requested target transition, as is evident from the evolution function of the environment. The actions for the encoded available behaviors encode their possible evolutions, whereas the actions for the encoded target encode the next possible transition request. We use the single agent semantics (Semantics=SA) to specify that only one assignment is allowed in each evolution.

We define an evaluation function (Error), evaluated over global states, to capture whether any of the available behaviors reaches the error state. A behavior reaches an "error" state if it "skips" (performs the special action "skip") when it is actually chosen to be the behavior satisfying the current request. See that a behavior "skips" only when all other actions are not possible w.r.t. its protocol. Observe also that MCMAS requires the definition of an initial state, from where the system is assumed to begin. In the initial state, all available behaviors and the target behavior are in their corresponding initial states, and both the action being requested and the scheduled behavior are set to the dummy value "start". Finally, we define the formula to be model checked: can the coalition formed by the target and the controller (environment agent in MCMAS) enforce the safety condition of "not error"?
Semantics = SA;

Agent Environment
  Obsvars:
    sch : {GameDevice, MovieDevice, AudioDevice, LightDevice, start};
    act : {movie, game, web, unplug, music, radio, stop, lighton, lightoff, start};
  end Obsvars
  Actions = {GameDevice, MovieDevice, AudioDevice, LightDevice, start};
  Protocol:
    act = start : {start};
    Other : {GameDevice, MovieDevice, AudioDevice, LightDevice};
  end Protocol
  Evolution:
    sch = GameDevice  if Action = GameDevice;
    sch = MovieDevice if Action = MovieDevice;
    sch = AudioDevice if Action = AudioDevice;
    sch = LightDevice if Action = LightDevice;
    act = movie    if T.Action = t1_movie_t2;
    act = game     if T.Action = t2_game_t3;
    act = web      if T.Action = t2_web_t3;
    act = music    if T.Action = t1_music_t2;
    act = radio    if T.Action = t2_radio_t3;
    act = stop     if T.Action = t3_stop_t4;
    act = lighton  if T.Action = t0_lighton_t1;
    act = lightoff if T.Action = t4_lightoff_t0;
  end Evolution
end Agent

-- GAME DEVICE --
Agent GameDevice
  Vars:
    state : {a0, a1, a2, a3, err};
  end Vars
  Actions = {go_a0, go_a1, go_a2, go_a3, skip};
  Protocol:
    state = a0 and Environment.act = movie  : {go_a1};
    state = a1 and Environment.act = game   : {go_a2};
    state = a1 and Environment.act = web    : {go_a2, go_a3};
    state = a2 and Environment.act = stop   : {go_a0};
    state = a3 and Environment.act = unplug : {go_a0};
    Other : {skip};
  end Protocol
  Evolution:
    state = err if Action = skip  and Environment.Action = GameDevice;
    state = a0  if Action = go_a0 and Environment.Action = GameDevice;
    state = a1  if Action = go_a1 and Environment.Action = GameDevice;
    state = a2  if Action = go_a2 and Environment.Action = GameDevice;
    state = a3  if Action = go_a3 and Environment.Action = GameDevice;
  end Evolution
end Agent

-- AUDIO DEVICE --
Agent AudioDevice
  Vars:
    state : {b0, b1, b2, err};
  end Vars
  Actions = {go_b0, go_b1, go_b2, skip};
  Protocol:
    state = b0 and Environment.act = music : {go_b1};
    state = b1 and Environment.act = radio : {go_b2};
    state = b2 and Environment.act = stop  : {go_b0};
    Other : {skip};
  end Protocol
  Evolution:
    state = err if Action = skip  and Environment.Action = AudioDevice;
    state = b0  if Action = go_b0 and Environment.Action = AudioDevice;
    state = b1  if Action = go_b1 and Environment.Action = AudioDevice;
    state = b2  if Action = go_b2 and Environment.Action = AudioDevice;
  end Evolution
end Agent

-- MOVIE DEVICE --
Agent MovieDevice
  Vars:
    state : {c0, c1, c2, err};
  end Vars
  Actions = {go_c0, go_c1, go_c2, skip};
  Protocol:
    state = c0 and Environment.act = movie : {go_c1};
    state = c1 and Environment.act = radio : {go_c2};
    state = c2 and Environment.act = stop  : {go_c0};
    Other : {skip};
  end Protocol
  Evolution:
    state = err if Action = skip  and Environment.Action = MovieDevice;
    state = c0  if Action = go_c0 and Environment.Action = MovieDevice;
    state = c1  if Action = go_c1 and Environment.Action = MovieDevice;
    state = c2  if Action = go_c2 and Environment.Action = MovieDevice;
  end Evolution
end Agent

-- LIGHT DEVICE --
Agent LightDevice
  Vars:
    state : {d0, d1, err};
  end Vars
  Actions = {go_d0, go_d1, skip};
  Protocol:
    state = d0 and Environment.act = lighton  : {go_d1};
    state = d1 and Environment.act = lightoff : {go_d0};
    Other : {skip};
  end Protocol
  Evolution:
    state = err if Action = skip  and Environment.Action = LightDevice;
    state = d0  if Action = go_d0 and Environment.Action = LightDevice;
    state = d1  if Action = go_d1 and Environment.Action = LightDevice;
  end Evolution
end Agent

-- TARGET DEVICE --
Agent T
  Vars:
    state : {t0_lighton_t1, t1_movie_t2, t1_music_t2, t2_radio_t3,
             t2_game_t3, t2_web_t3, t3_stop_t4, t4_lightoff_t0};
  end Vars
  Actions = {t0_lighton_t1, t1_movie_t2, t1_music_t2, t2_radio_t3,
             t2_game_t3, t2_web_t3, t3_stop_t4, t4_lightoff_t0};
  Protocol:
    Environment.act = start : {t0_lighton_t1};
    state = t0_lighton_t1  and Environment.act = lighton  : {t1_movie_t2, t1_music_t2};
    state = t1_movie_t2    and Environment.act = movie    : {t2_game_t3, t2_radio_t3, t2_web_t3};
    state = t1_music_t2    and Environment.act = music    : {t2_game_t3, t2_radio_t3, t2_web_t3};
    state = t2_game_t3     and Environment.act = game     : {t3_stop_t4};
    state = t2_radio_t3    and Environment.act = radio    : {t3_stop_t4};
    state = t2_web_t3      and Environment.act = web      : {t3_stop_t4};
    state = t3_stop_t4     and Environment.act = stop     : {t4_lightoff_t0};
    state = t4_lightoff_t0 and Environment.act = lightoff : {t0_lighton_t1};
  end Protocol
  Evolution:
    state = t0_lighton_t1  if Action = t0_lighton_t1;
    state = t1_movie_t2    if Action = t1_movie_t2;
    state = t1_music_t2    if Action = t1_music_t2;
    state = t2_radio_t3    if Action = t2_radio_t3;
    state = t2_game_t3     if Action = t2_game_t3;
    state = t2_web_t3      if Action = t2_web_t3;
    state = t3_stop_t4     if Action = t3_stop_t4;
    state = t4_lightoff_t0 if Action = t4_lightoff_t0;
  end Evolution
end Agent

Evaluation
  Error if GameDevice.state = err or AudioDevice.state = err or
           LightDevice.state = err or MovieDevice.state = err;
end Evaluation

InitStates
  GameDevice.state = a0 and AudioDevice.state = b0 and MovieDevice.state = c0
  and LightDevice.state = d0 and T.state = t0_lighton_t1 and
  Environment.act = start and Environment.sch = start;
end InitStates

Groups
  Coalition = {T, Environment}; -- Approximation
end Groups

Formulae
  <Coalition> G (!Error);
end Formulae



Running result: Figure 2 shows the witness output by MCMAS for the above translation of the home entertainment example. Extracting the target from this witness, as per Theorem 5, yields the optimal target approximation shown in Figure 1.

Fig. 2. Winning strategy for the House Entertainment example. The transitions in the model correspond to the joint moves of the controller, available behaviors, and the target.



